[Fedora-directory-users] getting solaris 8 to talk to FDS

Tay, Gary Gary_Tay at platts.com
Thu Aug 25 14:57:17 UTC 2005


===
Do you still think I need to change my defaultSearchDN?  Also, must those ACLs be added
still?  Because it looks like you're doing a manual config, right?
===
Yes, I think you should set baseDN (defaultSearchBase) to dc=composers,dc=foo,dc=com, NOT dc=foo,dc=com; it should correspond to the LDAP domain (nisdomain) name, i.e. composers.foo.com, which you set in the rootDN entry's nisDomainObject.
 
Yes, set the ACLs to allow proxyAgent to read the LDAP DIT. Yes, "ldapclient -i" is manual config; I use it because "ldapclient -P" failed me when I tried to use TLS. If "ldapclient -P" works for you with or without TLS, by all means use this syntax.
 
Your passwd SSD should then be ou=People,dc=composers,dc=foo,dc=com?one
Your shadow SSD should then be ou=People,dc=composers,dc=foo,dc=com?one
Your group SSD should then be ou=group,dc=composers,dc=foo,dc=com?one
(SSD = serviceSearchDescriptor)
 
Please re-install FDS 7.1 using baseDN=dc=composers,dc=foo,dc=com, and create an ldif file to re-populate your LDAP data using this baseDN, including the needed DUAConfigProfile, proxyAgent and sample People/group entries; the proxyAgent DN in your ldif file should be cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com.
 
# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: netgroup: ou=netgroup,dc=composers,dc=foo,dc=com

# tls_profile, profile, composers.foo.com
dn: cn=tls_profile,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
defaultSearchScope: one
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: netgroup: ou=netgroup,dc=composers,dc=foo,dc=com

Read the Solaris 8 "man ldapclient" page: there is no such valid value as "default" for the "-a" option. Please use "-a simple" and rerun "ldapclient -v -i ...". If you omit "-a", it defaults to "none", so proxyDN/PW are not really needed; that was why you got this message in the "ldapclient" result: No proxyDN/proxyPassword required.
 
/usr/sbin/ldapclient -v -i -a simple -b dc=composers,dc=foo,dc=com -c proxy \
   -D cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com -w password \
   -S "passwd: ou=People,dc=composers,dc=foo,dc=com?one" \
   -S "shadow: ou=People,dc=composers,dc=foo,dc=com?one" \
   -S "group: ou=group,dc=composers,dc=foo,dc=com?one" \
   -S "netgroup: ou=netgroup,dc=composers,dc=foo,dc=com?one" \
   149.85.70.17
 
You seemed to jump very fast; before checking "id testdba" or "getent passwd testdba", first check these step by step:
 
# ldapclient -l
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com
NS_LDAP_BINDPASSWD= {NS1}...
NS_LDAP_SERVERS= 149.85.70.17
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=foo,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=foo,dc=com?one

# /usr/lib/ldap/ldap_cachemgr -g
Does it say LDAP cache manager is UP and running?
 
# cat /var/ldap/cachemgr.log
Any critical error?
 
# ldaplist -l passwd testdba
It should display something like:
dn: uid=testdba,ou=People,dc=composers,dc=foo,dc=com
        givenName: Test
        sn: DBA
        loginShell: /bin/sh
        uidNumber: 1111
        gidNumber: 111
        objectClass: top
        objectClass: person
        objectClass: organizationalPerson
        objectClass: inetOrgPerson
        objectClass: posixAccount
        objectClass: shadowAccount
        uid: testdba
        cn: Test DBA
        homeDirectory: /home/testdba
 
If "ldaplist -l passwd testdba" fails, don't expect "id testdba" and "getent passwd testdba" to work.
 
Gary
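As an added illustration of the checks Gary walks through above (not code from the original thread), here is a small Python script that parses DUAConfigProfile entries out of an LDIF file and flags the three mistakes discussed: a defaultSearchBase that does not correspond to the nisdomain, serviceSearchDescriptor bases that fall outside that base, and an invalid authenticationMethod such as "default". The sample LDIF is constructed, and the list of accepted authentication methods is assumed from the ldapclient documentation.

```python
# Sanity-check Solaris DUAConfigProfile entries against the NIS domain name.
# Assumed list of authenticationMethod values ldapclient accepts; note that
# "default" is not among them, which is why "-a default" was rejected.
VALID_AUTH = {"none", "simple", "tls:simple", "sasl/CRAM-MD5",
              "sasl/DIGEST-MD5", "tls:sasl/CRAM-MD5", "tls:sasl/DIGEST-MD5"}

def domain_to_dn(nisdomain):
    """composers.foo.com -> dc=composers,dc=foo,dc=com"""
    return ",".join("dc=" + part for part in nisdomain.lower().split("."))

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, multi-valued attrs as lists."""
    entries, cur = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line terminates an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def check_profile(entry, nisdomain):
    """Return a list of findings; an empty list means the profile looks sane."""
    findings, want = [], domain_to_dn(nisdomain)
    base = entry.get("defaultSearchBase", [""])[0].lower()
    if base != want:
        findings.append(f"defaultSearchBase {base!r} != domain DN {want!r}")
    auth = entry.get("authenticationMethod", ["none"])[0]   # omitted -a => none
    if auth not in VALID_AUTH:
        findings.append(f"invalid authenticationMethod {auth!r}")
    elif auth == "none" and entry.get("credentialLevel", [""])[0] == "proxy":
        findings.append("credentialLevel proxy with auth none: proxyDN/password unused")
    for ssd in entry.get("serviceSearchDescriptor", []):
        svc, _, rest = ssd.partition(":")          # "passwd: ou=People,...?one"
        ssd_base, _, scope = rest.strip().partition("?")
        low = ssd_base.lower()
        if not (low == want or low.endswith("," + want)):
            findings.append(f"{svc.strip()} SSD base {ssd_base!r} is outside {want!r}")
        if scope and scope not in ("base", "one", "sub"):
            findings.append(f"{svc.strip()} SSD has bad scope {scope!r}")
    return findings

# Constructed sample: the as-posted profile (wrong base) and a corrected one.
SAMPLE_LDIF = """dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
credentialLevel: proxy
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com?one

dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: tls:simple
credentialLevel: proxy
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com?one
"""

def audit(ldif_text=SAMPLE_LDIF, nisdomain="composers.foo.com"):
    """Map each DUAConfigProfile DN in the LDIF to its list of findings."""
    return {e["dn"][0]: check_profile(e, nisdomain) for e in parse_ldif(ldif_text)
            if "DUAConfigProfile" in e.get("objectClass", [])}

if __name__ == "__main__":
    for dn, found in audit().items():
        print(dn, "->", found or "OK")
```

Run it against the LDIF you feed to ldapmodify and the nisdomain you give to "domainname"; every profile should come back OK before you touch ldapclient.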
 
-----Original Message----- 
From: fedora-directory-users-bounces at redhat.com on behalf of Igor 
Sent: Thu 8/25/2005 9:39 PM 
To: General discussion list for the Fedora Directory server project. 
Cc: 
Subject: RE: [Fedora-directory-users] getting solaris 8 to talk to FDS



	Gary, thank you for the replies.  (I do have the patch you mentioned:)
	
	bash-2.03# showrev -p | grep "^Patch: 108993-48"
	Patch: 108993-48 Obsoletes: 108827-40, 108991-18, 109322-09, 109461-03, 111641-0
	[...]
	
	--- "Tay, Gary" <Gary_Tay at platts.com> wrote:
	
	> 0) As mentioned in previous email, use "ldapclient -i", not "ldapclient
	> -P".
	>
	
	I did.  It kept failing until I got rid of "-a default"
	
	Handling manual option
	Unable to set value: invalid authenticationMethod (default)
	
	Getting rid of -a default:
	
	bash-2.03# /usr/sbin/ldapclient -v -i -b dc=foo,dc=com -c proxy -D uid=proxyA
	gent,ou=profile,dc=foo,dc=com -w password -S "passwd: ou=People,dc=foo,dc=
	com?one" -S "shadow: ou=People,dc=foo,dc=com?one" -S "group: ou=group,dc=caxt
	on,dc=com?one" -S "netgroup: ou=netgroup,dc=foo,dc=com?one" 149.85.70.17
	Arguments parsed:
	        defaultSearchBase: dc=foo,dc=com
	        credentialLevel: proxy
	        proxyDN: uid=proxyAgent,ou=profile,dc=foo,dc=com
	        serviceSearchDescriptor:
	                arg[0]: passwd: ou=People,dc=foo,dc=com?one
	                arg[1]: shadow: ou=People,dc=foo,dc=com?one
	                arg[2]: group: ou=group,dc=foo,dc=com?one
	                arg[3]: netgroup: ou=netgroup,dc=foo,dc=com?one
	        proxyPassword: password
	        defaultServerList: 149.85.70.17
	Handling manual option
	Proxy DN: uid=proxyAgent,ou=profile,dc=foo,dc=com
	Proxy password: {NS1}ecfa88f3a945c411
	Credential level: 1
	Authentication method: 0
	Authentication method: 0
	No proxyDN/proxyPassword required
	About to modify this machines configuration by writing the files
	Stopping network services
	Stopping sendmail
	Stopping nscd
	Stopping autofs
	Stopping ldap
	nisd not running
	nis_cache not running
	nispasswd not running
	nis(yp) not running
	Removing existing restore directory
	file_backup: stat(/etc/nsswitch.conf)=0
	file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
	file_backup: stat(/etc/defaultdomain)=0
	file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
	file_backup: stat(/var/nis/NIS_COLD_START)=-1
	file_backup: No /var/nis/NIS_COLD_START file.
	file_backup: nis domain is "composers.foo.com"
	file_backup: stat(/var/yp/binding/composers.foo.com)=-1
	file_backup: No /var/yp/binding/composers.foo.com directory.
	file_backup: stat(/var/ldap/ldap_client_file)=0
	file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
	file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
	Starting network services
	start: /usr/bin/domainname composers.foo.com... success
	start: /usr/lib/ldap/ldap_cachemgr... success
	start: /etc/init.d/autofs start... success
	start: /etc/init.d/nscd start... success
	System successfully configured
	bash-2.03# id testdba
	id: invalid user name: "testdba"
	bash-2.03#
	
	So, looks like it worked but I can't authenticate any users.  id testdba produces traffic
	on the FDS server, so it's definitely trying to query it but can't resolve anything.
	
	Also, I have two profiles:
	
	# default, profile, foo.com
	dn: cn=default,ou=profile,dc=foo,dc=com
	defaultSearchBase: dc=foo,dc=com
	authenticationMethod: simple
	followReferrals: TRUE
	bindTimeLimit: 2
	profileTTL: 43200
	searchTimeLimit: 30
	objectClass: top
	objectClass: DUAConfigProfile
	defaultServerList: 149.85.70.17
	credentialLevel: proxy
	cn: default
	defaultSearchScope: one
	
	# tls_profile, profile, foo.com
	dn: cn=tls_profile,ou=profile,dc=foo,dc=com
	defaultSearchBase: dc=foo,dc=com
	authenticationMethod: tls:simple
	followReferrals: FALSE
	bindTimeLimit: 10
	profileTTL: 43200
	searchTimeLimit: 30
	objectClass: top
	objectClass: DUAConfigProfile
	defaultServerList: cnyitlin02.composers.foo.com
	credentialLevel: proxy
	cn: tls_profile
	serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com
	serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
	serviceSearchDescriptor: shadow: ou=People,dc=foo,dc=com
	defaultSearchScope: one
	
	My default profile doesn't have those 3 searchDescriptors.  Or we are not using profiles
	anymore?  Just curious...
	
	Do you still think I need to change my defaultSearchDN?  Also, must those ACLs be added
	still?  Because it looks like you're doing a manual config, right?
	
	Thank you for your help, Gary.
	
